[Samba] Idmap not working, "idmap_tdb_common_get_new_id: Refusing allocation of a new unixid"

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Dec 29 22:06:42 UTC 2016



I have upgraded all my samba servers to 4.4.5 using the updates from the 
package repositories (not compiling from source)

This is a samba classic domain. Trusts have been established with a 
Windows 2012 based AD domain. The "wbinfo -i" and "getent passwd" 
commands both fail to allocate a uidNumber.


On one of the domain members I get idmap_tdb errors:

    # cat  /var/log/samba/log.winbindd-idmap


    [2016/12/29 12:16:12.182624,  1]
    ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
       Error allocating a new GID
    [2016/12/29 12:16:12.183801,  1]
    ../source3/winbindd/idmap_tdb_common.c:67(idmap_tdb_common_allocate_id_action)
       Fatal Error: GID range full!! (max: 6000)
    [2016/12/29 12:16:12.183871,  1]
    ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
       Error allocating a new GID
    [2016/12/29 12:16:12.192026,  1]
    ../source3/winbindd/idmap_tdb_common.c:67(idmap_tdb_common_allocate_id_action)
       Fatal Error: GID range full!! (max: 6000)
    [2016/12/29 12:16:12.192108,  1]
    ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
       Error allocating a new GID
    [2016/12/29 12:16:12.193241,  1]
    ../source3/winbindd/idmap_tdb_common.c:67(idmap_tdb_common_allocate_id_action)
       Fatal Error: GID range full!! (max: 6000)
    [2016/12/29 12:16:12.193309,  1]
    ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
       Error allocating a new GID
    [2016/12/29 13:23:41.514078,  3]
    ../source3/winbindd/idmap_tdb_common.c:157(idmap_tdb_common_get_new_id)
       idmap_tdb_common_get_new_id: Refusing allocation of a new unixid
    for domain'trustedomain'. Currently only supported for the default
    domain "*".
    [2016/12/29 13:23:41.514174,  3]
    ../source3/winbindd/idmap_rw.c:51(idmap_rw_new_mapping)
       Could not allocate id: NT_STATUS_NOT_IMPLEMENTED
    [2016/12/29 13:25:40.161521,  0]
    ../source3/winbindd/winbindd.c:279(winbindd_sig_term_handler)
       Got sig[15] terminate (is_parent=0)
    [2016/12/29 13:26:07.588184,  3]
    ../source3/winbindd/idmap_tdb_common.c:157(idmap_tdb_common_get_new_id)
       idmap_tdb_common_get_new_id: Refusing allocation of a new unixid
    for domain'trustedomain'. Currently only supported for the default
    domain "*".
    [2016/12/29 13:26:07.588335,  3]
    ../source3/winbindd/idmap_rw.c:51(idmap_rw_new_mapping)
       Could not allocate id: NT_STATUS_NOT_IMPLEMENTED
    [2016/12/29 13:27:46.775391,  0]
    ../source3/winbindd/winbindd.c:279(winbindd_sig_term_handler)
       Got sig[15] terminate (is_parent=0)
    [2016/12/29 14:16:25.066651,  0]
    ../source3/winbindd/winbindd.c:279(winbindd_sig_term_handler)
       Got sig[15] terminate (is_parent=0)
    [2016/12/29 14:18:39.172454,  0]
    ../source3/winbindd/winbindd.c:279(winbindd_sig_term_handler)
       Got sig[15] terminate (is_parent=0)



smb.conf included


      idmap config * : backend  = tdb
      idmap config * : range =  5000-6000


      idmap config MYDOMAIN : backend  = nss
      idmap config MYDOMAIN : range = 100-300


     idmap config TRUSTEDDOMAIN : backend  = tdb
     idmap config TRUSTEDDOMAIN : range = 30000-39999



I tried excluding the TRUSTEDDOMAIN or the default * idmap entry but 
neither helped.



Actually I would prefer to have the TRUSTEDDOMAIN use LDAP or AD as the 
idmap backend to keep mappings consistent across all machines but it 
seemed simplest to make sure tdb backend worked and then try changing 
the backend.


Thanks





On 12/19/16 17:17, Gaiseric Vandal wrote:
> On both the Samba 4.5.1 member server and the Samba 3.6.25 member server I 
> tried the following command:
>
>
>     wbinfo --set-uid-mapping=35049,S-1-5-21-xx-xx-xxx-xxx
>
>
> This should have created a mapping entry consistent with the one on 
> the domain controller for a trusted user.
>
> But I got the following error
>
>     failed to call wbcSetUidMapping: WBC_ERR_NOT_IMPLEMENTED
>
>
>
>
> As far as I can tell from network captures and looking at logs on the 
> PDC, any "wbinfo" commands on the member servers only query the PDC 
> for their own domain, even if they are querying info on users from a 
> trusted domain.
>
> wbinfo -a (--authenticate) does work from member servers
>
>
>
>     # /usr/local/samba/bin/wbinfo -a "TRUSTEDDOMAIN\someuser "
>     EnterTRUSTEDDOMAIN\someuserr's password:
>     plaintext password authentication succeeded
>     Enter TRUSTEDDOMAIN\someuser's password:
>     challenge/response password authentication succeeded
>     #
>
>
>
> On 12/14/16 14:46, Gaiseric Vandal wrote:
>> On the samba 4.5.1 domain controllers (PDC and BDC), classic domain, 
>> LDAP is used as the backend both for user accounts AND for the 
>> idmapping of trusted domains. Partial smb.conf below:
>>
>>     workgroup = THISDOMAIN
>>     security = user
>>     passdb backend = ldapsam:ldap://xxxxxxxxxxxxxxxxx
>>
>>     idmap config * : backend  = tdb
>>     idmap config * : range =  5000-6000
>>
>>
>>     idmap config THISDOMAIN : backend  = nss
>>     idmap config THISDOMAIN : range = 100-300
>>
>>
>>     idmap config TRUSTEDDOMAIN:backend = ldap
>>     idmap config TRUSTEDDOMAIN:readonly = no
>>     idmap config TRUSTEDDOMAIN:default=no
>>     idmap config TRUSTEDDOMAIN:ldap_base_dn = ou=xxxxxxxxxx
>>     idmap config TRUSTEDDOMAIN:ldap_user_dn = xxxxxxxxx
>>     idmap config TRUSTEDDOMAIN:ldap_url = ldap://xxxxxxxxxxx
>>     idmap config TRUSTEDDOMAIN:range = 30000-39999
>>
>>
>>
>> On the 4.5.1 domain members I have tried the TDB backend for trusted 
>> domain idmapping ...
>>
>>
>>     idmap config TRUSTEDDOMAIN : backend  = tdb
>>     idmap config TRUSTEDDOMAIN : range = 30000-39999
>>
>>
>>
>>
>> ...and I have tried LDAP backend
>>
>>     idmap config TRUSTEDDOMAIN:backend = ldap
>>     idmap config TRUSTEDDOMAIN:readonly = no
>>     idmap config TRUSTEDDOMAIN:default=no
>>     idmap config TRUSTEDDOMAIN:ldap_base_dn = ou=xxxxxxxxxx
>>     idmap config TRUSTEDDOMAIN:ldap_user_dn = xxxxxxxxx
>>     idmap config TRUSTEDDOMAIN:ldap_url = ldap://xxxxxxxxxxx
>>     idmap config TRUSTEDDOMAIN:range = 30000-39999
>>
>>
>>
>>
>>
>>
>>
>> But idmap fails regardless on the domain members.
>>
>>      # /usr/local/samba/bin/wbinfo  -n "THISDOMAIN\myname"
>>     S-1-5-21-xxx-xxx-xxx-xxx SID_USER (1)
>>
>>      # /usr/local/samba/bin/wbinfo  -i "THISDOMAIN\myname"
>>     THISDOMAIN\myname:*:123:100:My Name
>>     :/home/THISDOMAIN/myname:/bin/false
>>
>>
>>      # /usr/local/samba/bin/wbinfo  -n "TRUSTEDUSER\someuser"
>>     S-1-5-21-xxx-xxx-xxx-xxx SID_USER (1)
>>
>>     # /usr/local/samba/bin/wbinfo  -i  "TRUSTEDUSER\someuser"
>>     failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>     Could not get info for user  TRUSTEDUSER\someuser
>>     #
>>
>>
>>      # /usr/local/samba/bin/wbinfo  --allocate-uid
>>
>>     failed to call wbcAllocateUid: WBC_ERR_DOMAIN_NOT_FOUND
>>     Could not allocate a uid
>>      #
>>
>>
>>
>> I could never get idmapping for trusted domains working on member 
>> servers with samba 3.6.x either.
>>
>>
>> It seems that wbinfo just doesn't like trusted domains.
>>
>>
>> I am presuming that I can only use the idmap ad backend for my "own" 
>> domain (if I were in an AD domain) and not for trusted domains. I 
>> also suspect that the idmap ldap backend is only valid on domain 
>> controllers.
>>
>>
>> Appreciate any help.
>>
>> Thanks
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On 12/13/16 09:51, Gaiseric Vandal wrote:
>>> Running a mix of samba versions (3.6.25 and 4.5.1) in two domains: 
>>> one "classic" (with samba domain controllers) and one AD (with 
>>> windows domain controllers). The eventual goal is to drop the 
>>> classic domain in favor of the AD domain. Also trying to move from 
>>> samba 3.x to 4.x since Samba 3 is EOL'd.
>>>
>>>
>>> The "wbinfo -u" command will list users in the server's domain but 
>>> not trusted domains. However the "wbinfo -n" command (e.g. "wbinfo 
>>> -n TRUSTEDDOMAIN\username") does return the user's SID, and "getent 
>>> passwd" may be able to show the trusted user (depending on idmap 
>>> config).
>>>
>>>
>>> Typical winbind settings are:
>>>
>>>
>>>  # testparm -v | grep winbind
>>> ....
>>>
>>>         winbind separator = \
>>>         winbind cache time = 300
>>>         winbind reconnect delay = 30
>>>         winbind max clients = 200
>>>         winbind enum users = Yes
>>>         winbind enum groups = Yes
>>>         winbind use default domain = No
>>>         winbind trusted domains only = No
>>>         winbind nested groups = Yes
>>>         winbind expand groups = 1
>>>         winbind nss info = template
>>>         winbind refresh tickets = No
>>>         winbind offline logon = No
>>>         winbind normalize names = No
>>>         winbind rpc only = No
>>>         winbind max domain connections = 1
>>> #
>>>
>>> Changing "winbind use default domain" or "winbind trusted domains 
>>> only" to yes will change how the own-domain users are displayed 
>>> ("MYDOMAIN\username" vs "username").
>>>
>>>
>>> Logs show errors about winbind not being able to connect to 
>>> either the own or trusted domains when I restart the winbind svc. 
>>> It seems like winbind has issues when it starts but then future 
>>> "wbinfo -n" lookups do connect. "wbinfo -D TRUSTDOMAIN" works.
>>>
>>> I used to run just samba 3.6.25 in a classic domain. Trusts with AD 
>>> domains were fine until the various BADLOCK related patches came 
>>> out for windows. Samba 3.6.25 with backported badlock patches 
>>> seemed to fix trust issues with domains BUT broke windows client 
>>> logins. I think I just need to get away from samba 3 (and 
>>> classic domains) or I will continue to have issues with the latest 
>>> versions of windows.
>>>
>>>
>>>
>>>
>>> thanks
>>>
>>>
>>>
>>>
>>>
>>
>
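An added example, not part of the thread or of Samba itself, that checks the idmap configuration and log symptoms described above: it parses the `idmap config` lines from smb.conf, flags a tdb backend on a named domain (the log shows winbindd only allocating new unixids for the default domain "*") and overlapping ranges, and extracts the exhausted range limit and the refused domain name from winbindd-idmap log lines. The smb.conf and log samples are constructed from the text above; the check names are the example's own.

```python
import re
# Constructed sample: the idmap block from the member server's smb.conf quoted above.
SAMPLE_SMB_CONF = """
idmap config * : backend  = tdb
idmap config * : range =  5000-6000
idmap config MYDOMAIN : backend  = nss
idmap config MYDOMAIN : range = 100-300
idmap config TRUSTEDDOMAIN : backend  = tdb
idmap config TRUSTEDDOMAIN : range = 30000-39999
"""
# Constructed sample modelled on the log.winbindd-idmap lines above, one message per line.
SAMPLE_LOG = """
Fatal Error: GID range full!! (max: 6000)
idmap_tdb_common_get_new_id: Refusing allocation of a new unixid for domain'trustedomain'. Currently only supported for the default domain "*".
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
LOG_PATTERNS = {
    "range_full": re.compile(r"(?:UID|GID) range full!! \(max: (\d+)\)"),
    "non_default_alloc": re.compile(r"Refusing allocation of a new unixid for domain\s*'([^']+)'"),
}

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line in smb.conf text."""
    domains = {}
    for dom, opt, val in IDMAP_RE.findall(conf):
        domains.setdefault(dom, {})[opt] = val
    return domains

def check_idmap(conf):
    """Flag named-domain tdb backends (winbindd only allocates new ids for '*') and overlapping ranges."""
    issues, seen = [], []
    for dom, opts in parse_idmap(conf).items():
        if "range" not in opts:
            continue
        lo, hi = (int(x) for x in opts["range"].split("-"))
        if dom != "*" and opts.get("backend") == "tdb":
            issues.append(f"{dom}: tdb backend on a named domain; winbindd only allocates ids for '*'")
        for odom, olo, ohi in seen:
            if lo <= ohi and olo <= hi:  # closed intervals intersect
                issues.append(f"{dom}: range {lo}-{hi} overlaps {odom} range {olo}-{ohi}")
        seen.append((dom, lo, hi))
    return issues
def scan_log(log):
    """Pull the exhausted range limit and the refused domain name out of winbindd-idmap log lines."""
    hits = {name: [] for name in LOG_PATTERNS}
    for line in log.splitlines():
        for name, pat in LOG_PATTERNS.items():
            if m := pat.search(line):
                hits[name].append(m.group(1))
    return hits
```

Run `check_idmap` over the real smb.conf text and `scan_log` over the real log to confirm whether the failing lookups are caused by the named-domain tdb backend, an overlapping range, or an exhausted default range.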


